Using LNK files to steal NetNTLMv2 hashes while living off the land

Vegard Wærp
Apr 5, 2021 · 5 min read

First, a bit of history about SCF files, which are what you usually see being used in blog posts about stealing NetNTLMv2 hashes by dropping files on writable shares. SCF no longer works on newer versions of Windows, but we have alternatives.

Shell Command files

Shell Command Files, with the file extension .SCF, are a special Windows file type that has been useful in red team engagements or internal penetration tests of Windows environments. Or just for Hackthebox.

SCF files are text files, and what made them useful for us pentesters and red teamers was that you could define the path to a .ico file within the file. Windows Explorer then retrieved this file and used it as the icon for the SCF file. Loading an icon file by itself is maybe not that useful, but the path to load the file could be a UNC path pointing to a remote server, meaning we could use SCF files to steal NetNTLMv2 hashes.

The target also just had to open the folder containing the SCF in Windows Explorer for Explorer to try to load the icon; there was no need for them to actually open the file. SMB shares where you have write access were great places to drop SCF files.

SCF is dead, long live LNK

Using icon UNC paths in SCF files no longer seems to work on the latest version of Windows 10. I don’t know when it stopped working, but I’ve tried it on several installs of Windows 10 20H2. Others seem to have come to the same conclusion.

But, fear not. Even though we can no longer use SCF files, we can still use the trusty old LNK files, a.k.a. Windows shortcuts. With .LNK files you can still define a UNC path for the icon, and Windows tries to load it from the remote server. LNK files are not as easy to craft as SCF files since they are binary files, but we can use the tool Crop from the Farmer toolkit by MDSec. If you want to roll your own tool instead, a C++ implementation based on Microsoft’s example code is trivial.

Stealing hashes while living off the land

If you search for how to steal NetNTLMv2 hashes, most of the information you find will tell you to use Responder to steal the hashes. But what if you don’t have your trusty Kali Linux box or another *nix system to run Responder on? Maybe you have landed on a Windows 10 workstation and managed to elevate your privileges to local administrator. You can also upload files to the target and exfiltrate files from it. But you want to live off the land for OPSEC reasons. Can you still steal some hashes? Spoiler alert: Yes, you can!

The first thing you have to do is to create an SMB share on your workstation. You don’t have to have any files in the share, but there has to be a share that the targets can attempt to authenticate to.

Here we have landed on a workstation (WORKSTATION01), logged in as a helpdesk user with local administrator privileges. We first create a local file share called “shared”.

Creating shared folder.

After doing some recon we find that our helpdesk user has write access to the \\FILE01\IT share, which seems to be an IT Department share.

IT Department Share at \\FILE01\IT

We create a .LNK file with Crop from the Farmer toolkit locally on the attacker side and upload it to WORKSTATION01, where we save it as \\FILE01\IT\@temp.lnk.

Creating the .LNK file

It is important to use the IP address of the system, 10.1.1.4, when creating the file instead of the hostname WORKSTATION01: in an Active Directory environment, Kerberos authentication is used by default when you connect to an SMB share by hostname, while NTLM authentication is used when you connect by IP address.

.LNK file saved
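From the defender’s side, the planted file described in the SCF and LNK sections above has a simple footprint: a shortcut or SCF file on a share whose icon path is a UNC location, often an IP-based one for the Kerberos-versus-NTLM reason just given. The following PowerShell script is an added example (not part of the original post or of the Farmer toolkit) that walks a share and reports such files; it assumes the scanning account can read the share, and \\FILE01\IT (the share from this post) is a placeholder to replace.

```powershell
# Added example: flag .lnk/.scf files on a share whose icon path is a UNC location.
# Assumption: the account running this can read the share; $SharePath is a placeholder.
param(
    [string]$SharePath = '\\FILE01\IT'   # share from the post; replace with your own
)

# WScript.Shell parses the binary LNK format for us, so no hand-written parser is needed
$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $SharePath -Recurse -Force -File -Include *.lnk, *.scf -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $iconPath = $null

        if ($file.Extension -ieq '.lnk') {
            # IconLocation comes back as "path,index"; keep only the path part
            try { $iconPath = ($shell.CreateShortcut($file.FullName).IconLocation -split ',')[0] } catch { }
        }
        else {
            # SCF files are plain text; the icon is set on an IconFile= line
            $line = Select-String -Path $file.FullName -Pattern '^\s*IconFile\s*=\s*(.+)$' |
                Select-Object -First 1
            if ($line) { $iconPath = $line.Matches[0].Groups[1].Value.Trim() }
        }

        # Only a UNC icon path (\\host\share\...) makes Explorer authenticate to a remote host
        if ($iconPath -and $iconPath.StartsWith('\\')) {
            $iconHost = ($iconPath.TrimStart('\') -split '\\')[0]
            [pscustomobject]@{
                File      = $file.FullName
                IconPath  = $iconPath
                IconHost  = $iconHost
                # An IP-based host forces NTLM rather than Kerberos, as explained in the post
                HostIsIp  = [bool]($iconHost -match '^\d{1,3}(\.\d{1,3}){3}$')
                Hidden    = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                LastWrite = $file.LastWriteTime
            }
        }
    }
```

Any hit whose IconHost is not one of your own icon or software-distribution servers is worth treating as a planted file, and LastWrite tells you when to start looking in the share’s access logs.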

What we do next is to use netsh trace to start a packet capture on the workstation. This is built-in functionality in Windows; all you need is local administrator privileges. We start a packet capture and wait for someone to browse the share.

netsh trace start capture=yes TCP.AnyPort=445 tracefile="C:\Users\hdvegard\Desktop\trace.etl"
Starting trace

After leaving the capture for some time, we stop the capture.

netsh trace stop
Stopping trace

Exfiltrating packet capture and looking for NetNTLMv2 authentication

We now have a packet trace hopefully containing some NetNTLMv2 authentication attempts, and can exfiltrate the file to see if there are any hashes and attempt to crack them.

Having exfiltrated the packet capture, we can convert it to the PCAPNG format using etl2pcapng. There are several tools that can extract the hashes from a pcap, or we can do it manually using Wireshark. You can also use the NTLMRawUnhide tool (blog post), which works directly on the ETL file from netsh without the need to convert the file first.

For this example I used NTLMRawUnhide to extract the hashes. We run the tool and see that the user ADLAB\dabob has browsed \\FILE01\IT.

ADLAB\dabob has browsed the share

Cracking the password

The last step is to attempt to crack the password. We try with the rockyou wordlist in John the Ripper, and see that dabob’s password is P@ssword123.

We managed to crack dabob’s password
